Your HP printer won't burst into flames, but you still have reasons to worry

It certainly makes for a colorful image: A hacker manages to finagle his way into your printer and pull off a little trick that makes the trusty HP catch on fire! That's what some early coverage of research conducted at Columbia University may have led you to believe. Fortunately, that's not the case. Put away the fire extinguisher and take a breath.

Yes, researchers led by Salvatore Stolfo, professor of computer science at Columbia, concluded that a hacked printer could be made to repeat actions so often and so quickly that the paper inside could turn brown, but they caution that that is not the same thing as flames shooting out of your printer.

"There is a failsafe device on the printer that works effectively," says Stolfo. "We came close, but no cigar. Not able to actually create fire."

But what the hacker can do is more insidious and potentially more damaging. "The danger," he says, "is far greater than igniting paper in a printer. The danger is that virus writers could inject software into the printer that reveals private, personal and sensitive information. For example, the printing of your personal documents that may include your personally identifiable information, your tax forms, things of that nature. It is conceivable that that information could be scraped for data to be used for identity theft."

That, he says, could happen. "By printing a specially crafted document that looks entirely normal, will print out entirely normal, but by having done so, it could install malicious software into the printer when that document is being printed on the printer. This is the core operating system of the printer that is being replaced by malicious software and that is the first demonstration by our lab and it's quite unique and particularly dangerous."

We spoke to Keith Moore, a chief technologist at HP, who admits that there is a vulnerability to the printers tested and that HP is still going over the data presented by Stolfo's team. "We're still trying to replicate the behavior from Columbia University, so we have two model numbers that we're looking at right now in our lab," he says.

As for what HP will do to address it, Moore says, "We'll issue a software patch if we're able to replicate the defect. We take security situations very seriously."